PT-2025-7547 · Xwiki · Xwiki Platform

John Kwak

·

Published

2024-05-06

·

Updated

2025-11-17

·

CVE-2025-24893

CVSS v3.1
9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions XWiki Platform, versions 5.3-milestone-2 through 15.10.10 and versions 16.0.0-rc-1 through 16.4.0. Patched in 15.10.11, 16.4.1 and 16.5.0RC1.
Description XWiki Platform allows any unauthenticated user to execute arbitrary code on the server through a single request to the SolrSearch endpoint, compromising the confidentiality, integrity and availability of the entire XWiki installation. The flaw is in the Main.SolrSearchMacros wiki page, in the branch that renders search results as an RSS feed: the value of the text request parameter is interpolated into content that XWiki then renders as wiki syntax, so an attacker can inject a {{groovy}} script macro into the search term and have it executed server-side with the rights of the wiki, which is enough for full system compromise. The vulnerability has been exploited in the wild, with attackers deploying cryptocurrency miners and using compromised hosts in DDoS attacks. The preconditions are narrow and easy to test for: an HTTP request to /xwiki/bin/get/Main/SolrSearch with the media parameter set to rss, where the text parameter carries the injected Groovy code. No credentials or user interaction are required.
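A defender's first question is whether this endpoint has already been hit. The following detection logic, added here as an example and not code from the advisory or the XWiki project, scans web-server access logs in the common "combined" format for requests to the SolrSearch endpoint whose text parameter contains XWiki macro syntax. The sample log lines are constructed, not captured traffic; the assumption that the injected Groovy arrives as {{groovy}} macro syntax (possibly preceded by }}} to break out of an enclosing verbatim block) is the author's, based on how XWiki macros are written, and the severity tiers are an editorial choice.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" format; not real traffic.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Mar/2025:08:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2242%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812 "-" "curl/8.5.0"
198.51.100.2 - - [10/Mar/2025:08:12:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:08:12:09 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Mar/2025:08:13:00 +0000] "POST /xwiki/bin/get/Main/SolrSearch HTTP/1.1" 200 12 "-" "python-requests/2.32"
'''

# client, timestamp, request line (method + target), status code
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Vulnerable endpoint named in the advisory (path suffix, so any context root matches).
SOLR_SEARCH_PATH = "/bin/get/Main/SolrSearch"

# XWiki macro syntax, e.g. {{groovy}} ... {{/groovy}}. Assumption: the injected
# code reaches Groovy through macro syntax placed in the text parameter.
MACRO_RE = re.compile(r"\{\{\s*/?\s*(?P<name>[A-Za-z][\w-]*)")
SCRIPT_MACROS = {"groovy", "velocity", "python", "script", "async"}


def analyze_request(method: str, target: str) -> Optional[dict]:
    """Return a finding for one request line, or None if it looks benign."""
    parts = urlsplit(target)
    # parse_qs percent-decodes values, so %7B%7B becomes {{ before matching.
    params = parse_qs(parts.query, keep_blank_values=True)
    text = " ".join(params.get("text", []))
    media = [m.lower() for m in params.get("media", [])]
    macros = {m.group("name").lower() for m in MACRO_RE.finditer(text)}
    if not macros:
        return None
    on_endpoint = parts.path.endswith(SOLR_SEARCH_PATH)
    if on_endpoint and "rss" in media and macros & SCRIPT_MACROS:
        severity = "high"    # exactly the advisory's preconditions
    elif macros & SCRIPT_MACROS:
        severity = "medium"  # script macro in a search term, but wrong path or media
    else:
        severity = "low"     # some other macro injected into a search term
    return {
        "severity": severity,
        "method": method,
        "path": parts.path,
        "media": media,
        "macros": sorted(macros),
        # }}} closes an enclosing {{{verbatim}}} block before the injected macro
        "verbatim_breakout": "}}}" in text,
    }


def scan_log(log_text: str) -> list:
    """Parse each log line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("method"), m.group("target"))
        if finding:
            finding.update(client=m.group("client"), ts=m.group("ts"),
                           status=int(m.group("status")))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["path"], f["macros"])
```

Two caveats for anyone running this against real logs: parameters sent in a POST body never appear in an access log, so a POST to the endpoint (the fourth sample line) is invisible to this check and needs reverse-proxy or application-level logging; and a 200 status on a hit tells you nothing about success, since the Groovy output is embedded in the feed body, so treat every high-severity match as a potential compromise and check the host for miners and unexpected outbound connections.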
Recommendations XWiki versions 5.3-milestone-2 through 15.10.10: upgrade to 15.10.11 or later. XWiki versions 16.0.0-rc-1 through 16.4.0: upgrade to 16.4.1 or later (16.5.0RC1 also contains the fix). As a temporary workaround, edit line 955 in Main.SolrSearchMacros within SolrSearchMacros.xml to match the rawResponse macro in macros.vm#L2824 with a content type of application/xml, so that the RSS response is emitted as raw XML rather than rendered as wiki content.
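When inventorying many instances, the affected ranges above are awkward to check by eye because XWiki version strings carry Maven-style qualifiers (5.3-milestone-2, 16.0.0-rc-1, 16.5.0RC1). The helper below is an added example, not code from the advisory or from XWiki; it encodes exactly the two affected ranges and fix versions stated in this recommendation and returns the release to upgrade to. The ordering it assumes (milestone before rc before the final release of the same number) follows Maven convention and is the author's assumption.

```python
import re
from typing import Optional

# Assumption: Maven-style ordering of XWiki qualifiers, where
# X.Y.Z-milestone-N < X.Y.Z-rc-N (also written X.Y.ZRCN) < X.Y.Z final.
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:-?(?P<qual>milestone|rc)-?(?P<qnum>\d+)?)?$",
    re.IGNORECASE,
)

# (first affected, last affected, first fixed), as stated in the advisory.
AFFECTED = [
    ("5.3-milestone-2", "15.10.10", "15.10.11"),
    ("16.0.0-rc-1", "16.4.0", "16.4.1"),
]


def parse_version(v: str) -> tuple:
    """Turn an XWiki version string into a comparable tuple.

    Numeric parts are padded to three components (5.3 -> 5.3.0); the final two
    slots hold the qualifier rank and qualifier number so that pre-releases sort
    before the release they precede.
    """
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    nums += (0,) * (3 - len(nums))
    qual = m.group("qual")
    if qual is None:
        return nums + (FINAL_RANK, 0)
    return nums + (QUALIFIER_RANK[qual.lower()], int(m.group("qnum") or 0))


def recommended_fix(v: str) -> Optional[str]:
    """Return the first fixed release for an affected version, else None."""
    pv = parse_version(v)
    for lo, hi, fix in AFFECTED:
        if parse_version(lo) <= pv <= parse_version(hi):
            return fix
    return None


def is_affected(v: str) -> bool:
    return recommended_fix(v) is not None


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, version in [("wiki-a", "15.10.10"), ("wiki-b", "16.2.0"),
                          ("wiki-c", "16.4.1"), ("wiki-d", "16.5.0RC1")]:
        fix = recommended_fix(version)
        print(host, version, "-> upgrade to " + fix if fix else "-> not affected")
```

The version string is the one XWiki reports in its footer or via the REST API; feed that in rather than the version of a container image tag, which may lag behind the deployed WAR.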

Exploit

Fix

RCE

LPE

Eval Injection

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-01880
CVE-2025-24893
GHSA-RR6P-3PFG-562J

Affected Products

Xwiki Platform